Commit 7f12e26a authored by Johannes Berg's avatar Johannes Berg

wifi: cfg80211: make hash table duplicates more survivable

Jiazi Li reported that they occasionally see hash table duplicates
as evidenced by the WARN_ON() in rb_insert_bss() in this code.  It
isn't clear how that happens, nor have I been able to reproduce it,
but if it does happen, the kernel crashes later, when it tries to
unhash the entry that's now not hashed.

Try to make this situation more survivable by removing the BSS from
the list(s) as well, that way it's fully leaked here (as had been
the intent in the hash insert error path), and no longer reachable
through the list(s) so it shouldn't be unhashed again later.

Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.LiSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Link: https://msgid.link/20240607181726.36835-2-johannes@sipsolutions.netSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 5f12dd57
...@@ -1604,7 +1604,7 @@ struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy, ...@@ -1604,7 +1604,7 @@ struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy,
} }
EXPORT_SYMBOL(__cfg80211_get_bss); EXPORT_SYMBOL(__cfg80211_get_bss);
static void rb_insert_bss(struct cfg80211_registered_device *rdev, static bool rb_insert_bss(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *bss) struct cfg80211_internal_bss *bss)
{ {
struct rb_node **p = &rdev->bss_tree.rb_node; struct rb_node **p = &rdev->bss_tree.rb_node;
...@@ -1620,7 +1620,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, ...@@ -1620,7 +1620,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
if (WARN_ON(!cmp)) { if (WARN_ON(!cmp)) {
/* will sort of leak this BSS */ /* will sort of leak this BSS */
return; return false;
} }
if (cmp < 0) if (cmp < 0)
...@@ -1631,6 +1631,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, ...@@ -1631,6 +1631,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
rb_link_node(&bss->rbn, parent, p); rb_link_node(&bss->rbn, parent, p);
rb_insert_color(&bss->rbn, &rdev->bss_tree); rb_insert_color(&bss->rbn, &rdev->bss_tree);
return true;
} }
static struct cfg80211_internal_bss * static struct cfg80211_internal_bss *
...@@ -1657,6 +1658,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev, ...@@ -1657,6 +1658,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev,
return NULL; return NULL;
} }
static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *bss)
{
lockdep_assert_held(&rdev->bss_lock);
if (!rb_insert_bss(rdev, bss))
return;
list_add_tail(&bss->list, &rdev->bss_list);
rdev->bss_entries++;
}
static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *bss)
{
lockdep_assert_held(&rdev->bss_lock);
rb_erase(&bss->rbn, &rdev->bss_tree);
if (!rb_insert_bss(rdev, bss)) {
list_del(&bss->list);
if (!list_empty(&bss->hidden_list))
list_del_init(&bss->hidden_list);
if (!list_empty(&bss->pub.nontrans_list))
list_del_init(&bss->pub.nontrans_list);
rdev->bss_entries--;
}
rdev->bss_generation++;
}
static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
struct cfg80211_internal_bss *new) struct cfg80211_internal_bss *new)
{ {
...@@ -1969,9 +1998,7 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev, ...@@ -1969,9 +1998,7 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss));
} }
list_add_tail(&new->list, &rdev->bss_list); cfg80211_insert_bss(rdev, new);
rdev->bss_entries++;
rb_insert_bss(rdev, new);
found = new; found = new;
} }
...@@ -3349,19 +3376,14 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, ...@@ -3349,19 +3376,14 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new)))
rdev->bss_generation++; rdev->bss_generation++;
} }
cfg80211_rehash_bss(rdev, cbss);
rb_erase(&cbss->rbn, &rdev->bss_tree);
rb_insert_bss(rdev, cbss);
rdev->bss_generation++;
list_for_each_entry_safe(nontrans_bss, tmp, list_for_each_entry_safe(nontrans_bss, tmp,
&cbss->pub.nontrans_list, &cbss->pub.nontrans_list,
nontrans_list) { nontrans_list) {
bss = bss_from_pub(nontrans_bss); bss = bss_from_pub(nontrans_bss);
bss->pub.channel = chan; bss->pub.channel = chan;
rb_erase(&bss->rbn, &rdev->bss_tree); cfg80211_rehash_bss(rdev, bss);
rb_insert_bss(rdev, bss);
rdev->bss_generation++;
} }
done: done:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment